A long-running campaign utilizing Telegram has emerged as a significant concern within cybersecurity. This operation has been driven by a single threat actor who has efficiently leveraged stolen Google Gemini API keys alongside jailbroken artificial intelligence (AI) to automate content generation, credential theft, and infrastructure operations at an unprecedented scale.
The individual responsible for this campaign is tracked under the moniker “bandcampro.” This Russian-speaking operator has maintained a MAGA-themed Telegram channel, known as @americanpatriotus, for nearly five years, during which it has garnered approximately 17,000 subscribers. The channel appears to serve as a hub for disseminating a blend of misinformation and fraudulent schemes, all while masquerading under a populist political theme.
Employing advanced techniques, the threat actor has systematically bypassed Gemini’s safety guardrails. This was achieved through meticulous prompt engineering and manipulation of persistent memory within the AI. By concealing their real intentions as an “authorized pentester,” the operator was able to persuade the model to store permissive instructions in a local memory file called GEMINI.md. This file contained directives that allowed the model to execute requests without adhering to ethical standards. This method ensured that the jailbreak persisted, automatically reinforcing itself every time the Gemini CLI rebooted, thereby allowing the operator continuous access to unrestricted functionalities.
Moreover, the threat actor employed prompting techniques in non-English languages, successfully exposing inconsistencies in the system’s cross-language safety enforcement. Once the AI model was manipulated to operate without restrictions, it began generating QAnon-style propaganda, facilitating automation of posting on Telegram, rotating stolen API keys, and contributing to a range of cybercriminal activities.
Reports indicate that the actor exploited 73 stolen Gemini API keys, significantly reducing operational costs while ramping up activities. Even with this level of automation, the results, however, were somewhat modest. Data suggests that 29 WordPress administrator accounts were compromised, one enterprise environment infiltrated, and at least one cryptocurrency wallet was drained.
A notable shift in the campaign’s strategy occurred in September 2025, as highlighted by TrendAI Research. The actor pivoted from conventional manual content curation to fully AI-assisted operations, utilizing the jailbroken Gemini model as a co-worker in the dark arts of cyber influence and fraud.
The evolution of the Telegram channel itself has unfolded through three distinct phases. Between 2021 and 2022, the channel largely focused on redistributing cryptocurrency scam content associated with Stellar-based tokens. This strategy transitioned from late 2023 to 2025, primarily sharing mainstream news articles infused with narratives aligning with QAnon beliefs. Following September 2025, the operation became entirely AI-driven, with Gemini producing stylized “Q drops” crafted to resonate with the ideologies of its politically aligned audience.
To enhance engagement and monetization efforts, the operator deployed a chatbot named “QFS 2.0 Terminal,” which was powered by Venice.ai. This bot simulated an interactive interface representative of a fictional Quantum Financial System, incorporating gamification principles such as referral-based rankings to foster user interaction and build trust within the targeted community.
In addition to fostering influence operations, the threat actor harnessed AI capabilities to aid in credential theft and the management of cyber infrastructure. The Gemini model was instrumental in deploying command-and-control frameworks, debugging scripts, and configuring cloud services. Even the modeling of password mutations for brute-force assaults was facilitated through this advanced technology.
By amalgamating logs from infostealers, contextual data, and AI-generated variations of passwords, the perpetrator successfully infiltrated multiple WordPress accounts spanning a variety of sectors, including healthcare, legal services, and retail.
Equally alarming is the distribution of a trojanized application masquerading as a cryptocurrency wallet, dubbed “StellarMonster.” This seemingly legitimate application was, in reality, a repurposed remote administration tool designed to grant persistent access to victim systems. Users were also misled into entering their wallet seed phrases, resulting in the complete compromise of their cryptocurrency assets.
Crucially, researchers now assess this campaign as being financially motivated rather than ideologically driven. Despite its branding, no evidence has been found supporting claims of pro-Russian messaging. The operator appears to view their audience merely as targets for exploitation, often referring to potential victims using derogatory slang that indicates gullibility.
This case study underscores a disturbing trend in which cutting-edge AI tools are lowering barriers to entry for complex cyber operations. Tasks that previously demanded collaborative efforts from teams can now be executed by individuals utilizing automated systems and AI assistance.
However, while AI boosts operational scale and efficiency, it does not guarantee success in achieving malicious objectives. More importantly, this operation highlights persistent deficits in AI safety controls, especially in terms of jailbreak susceptibility and inconsistencies related to language processing. The gaps identified in prior research on unmanaged AI adoption are now being exploited in real-world cyber threat campaigns, indicating a pressing need for improved safeguards in AI applications.